Configuring Interface Security Parameters
Once you identify an ASA interface that will be connected to the network, you will need to apply the following three security parameters to it:
- Interface name
- IP address
- Security level
These parameters are explained in the following sections.
Naming the Interface
ASA interfaces are known by two different names:
- Hardware name: Specifies the interface type, hardware module, and port number. The hardware names of physical interfaces can include Ethernet0/0, Management0/0, and GigabitEthernet1/0. Hardware names of VLAN interfaces have a subinterface suffix, such as Ethernet0/0.1. Hardware names are predefined and cannot be changed.
- Interface name: Specifies the function of the interface, relative to its security posture. For example, an interface that faces the outside, untrusted world might be named “outside,” whereas an interface that faces the inside, trusted network might be named “inside.” Interface names are arbitrary. An ASA uses the interface name when security policies are applied.
To assign an interface name to an ASA interface, you must first enter the interface configuration mode. Then, you can define the interface hardware name with the following interface configuration command:
ciscoasa(config-if)# nameif if_name
In Example 3-11, interface Ethernet0/0 is configured with the interface name “outside.”
Example 3-11. Assigning an Interface Name
ciscoasa(config)# interface ethernet0/0 ciscoasa(config-if)# nameif outside
You can set the interface name in ASDM by editing an existing interface or adding a new interface. The interface name is set by entering the name into the Interface Name field.
Assigning an IP Address
To communicate with other devices on a network, an ASA interface needs its own IP address. (The only exception is when the ASA is configured to operate in transparent mode. This mode is covered in Chapter 12, “Using Transparent Firewall Mode.”)
You can use the following interface configuration command to assign a static IP address and subnet mask to an ASA interface, if one is known and available:
ciscoasa(config-if)# ip address ip-address [subnet-mask]
If you omit the subnet-mask parameter, the firewall assumes that a classful network (Class A, B, or C) is being used. For example, if the first octet of the IP address is 1 through 126 (188.8.131.52 through 184.108.40.206), a Class A subnet mask (255.0.0.0) is assumed.
If you use subnetting in your network, be sure to specify the correct subnet mask rather than the classful mask (255.0.0.0, 255.255.0.0, or 255.255.255.0) that the firewall derives from the IP address.
Continuing the process from Example 3-9, so that the outside interface is assigned IP address 192.168.254.2 with a subnet mask of 255.255.255.0, enter the following:
ciscoasa(config-if)# ip address 192.168.254.2 255.255.255.0
If the ASA is connected to a network that offers dynamic IP address assignment, you should not configure a static IP address on the interface. Instead, you can configure the ASA to request an IP address through DHCP or PPPoE. Only DHCP is covered in the FIREWALL course and exam.
You can use the following interface configuration command to force the interface to request its IP address from a DHCP server:
ciscoasa(config-if)# ip address dhcp [setroute]
Adding the setroute keyword causes the ASA to set its default route automatically, based on the default gateway parameter that is returned in the DHCP reply. This is handy because the default route should always correlate with the IP address that is given to the interface. If the setroute keyword is not entered, you will have to explicitly configure a default route.
Once the ASA obtains an IP address for the interface via DHCP, you can release and renew the DHCP lease by re-entering the ip address dhcp command.
You can set a static interface IP address in ASDM by editing an existing interface or adding a new one. First, select Use Static IP in the IP Address section, as shown previously in Figure 3-13, and then enter the IP address. For the subnet mask, you can type in a mask or select one from a drop-down menu.
If the interface requests an IP address through DHCP, select the Obtain Address via DHCP option. By default, the ASA will use the interface MAC address in the DHCP request. To get a default gateway automatically through DHCP, check the Obtain Default Route Through DHCP check box. You can click the Renew DHCP Lease button at any time to release and renew the DHCP lease.
Setting the Security Level
ASA platforms have some inherent security policies that are based on the relative trust or security level that has been assigned to each interface. Interfaces with a higher security level are considered to be more trusted than interfaces with a lower security level. The security levels can range from 0 (the least amount of trust) to 100 (the greatest amount of trust).
Usually, the “outside” interface that faces a public, untrusted network should receive security level 0. The “inside” interface that faces the community of trusted users should receive security level 100. Any other ASA interfaces that connect to other areas of the network should receive a security level between 1 and 99. Figure 3-14 shows a typical scenario with an ASA and three interfaces.
Figure 3-14. Example ASA with Interface Names and Unique Security Levels
By default, interface security levels must be unique so that the ASA can apply security policies across security-level boundaries. This is because of the two following inherent policies that an ASA uses to forward traffic between its interfaces:
- Traffic is allowed to flow from a higher-security interface to a lower-security interface (inside to outside, for example), provided that any access list, stateful inspection, and address translation requirements are met.
- Traffic from a lower-security interface to a higher one cannot pass unless additional explicit inspection and filtering checks are passed.
This concept is shown in Figure 3-15, applied to an ASA with only two interfaces.
Figure 3-15. Inherent Security Policies Between ASA Interfaces
In addition, the same two security policies apply to any number of interfaces. Figure 3-16 shows an ASA with three different interfaces and how traffic is inherently permitted to flow from higher-security interfaces toward lower-security interfaces. For example, traffic coming from the inside network (security level 100) can flow toward the DMZ network (security level 50) because the security levels are decreasing. As well, DMZ traffic (security level 50) can flow toward the outside network (security level 0).
Figure 3-16. Traffic Flows Are Permitted from Higher to Lower Security Levels
Traffic that is initiated in the opposite direction, from a lower security level toward a higher one, cannot pass so easily. Figure 3-17 shows the same ASA with three interfaces and the possible traffic flow patterns.
Figure 3-17. Traffic Flows Are Blocked from Lower to Higher Security Levels
You can assign a security level of 0 to 100 to an ASA interface with the following interface configuration command:
ciscoasa(config-if)# security-level level
From ASDM, you can set the security level when you edit an existing interface or add a new one.
Continuing from the configuration in the section, “Assigning an IP Address,” you can assign the outside interface with a security level of 0 by entering the following:
ciscoasa(config-if)# security-level 0
By default, interface security levels do not have to be unique on an ASA. However, if two interfaces have the same security level, the default security policy will not permit any traffic to pass between the two interfaces at all. You can override this behavior with the same-security-traffic permit inter-interface command.
In addition, there are two cases in which it is not possible to assign unique security levels to each ASA interface:
- The number of ASA interfaces is greater than the number of unique security level values: Because the security level can range from 0 to 100, there are 101 unique values. Some ASA platforms can support more than 101 VLAN interfaces, so it becomes impossible to give them all unique security levels. In this case, you can use the following command in global configuration mode so that you can reuse security level numbers and relax the security level constraint between interfaces, as shown in the left portion of Figure 3-18:
Figure 3-18. Permitting Traffic to Flow Across the Same Security Levels
ciscoasa(config)# same-security-traffic permit inter-interface
Traffic must enter and exit through the same interface, traversing the same security level: When an ASA is configured to support logical VPN connections, multiple connections might terminate on the same ASA interface. This VPN architecture looks much like the spokes of a wheel, where the ASA interface is at the hub or center. When traffic comes from one VPN spoke and enters another spoke, it essentially enters the ASA interface and comes out of one VPN connection, only to enter a different VPN connection and go back out the same interface. In effect, the VPN traffic follows a hairpin turn on a single interface.
If an ASA is configured for VPN connections, you can use the following command in global configuration mode to relax the security level constraint within an interface, as shown in the right portion of Figure 3-18:
ciscoasa(config)# same-security-traffic permit intra-interface
If you are using ASDM, you can accomplish the same tasks from the Configuration > Device Setup > Interfaces using the two check boxes at the bottom of the interface list, as illustrated in Figure 3-19.
Figure 3-19. Check Boxes to Permit Traffic to Traverse the Same Security Levels
Interface Security Parameters Example
The ASA in Figure 3-14 has three interfaces. Example 3-12 shows the commands that can be used to configure each of the interfaces with the necessary security parameters.
Example 3-12. Configuring the ASA Interfaces from Figure 3-14
ciscoasa(config)# interface ethernet0/0 ciscoasa(config-if)# nameif outside ciscoasa(config-if)# ip address 192.168.254.2 255.255.255.0 ciscoasa(config-if)# security-level 0 ciscoasa(config-if)# interface ethernet0/1 ciscoasa(config-if)# nameif inside ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0 ciscoasa(config-if)# security-level 100 ciscoasa(config-if)# interface ethernet0/2 ciscoasa(config-if)# nameif dmz ciscoasa(config-if)# ip address 192.168.100.1 255.255.255.0 ciscoasa(config-if)# security-level 50
As a comparison, Figure 3-20 shows the same outside interface configuration done in ASDM.
Figure 3-20. Configuring the Outside ASA Interface